IoT Payments: addressing the protection problem

Wednesday, 20 February 2019

The proliferation of interconnected IoT devices offers exciting new opportunities to develop payment applications – in the home, on the move and in a wide range of retail, automotive and industrial environments. But a lack of standardization, slow adoption in the financial sector, and a complex technology ecosystem present considerable challenges that threaten to stifle innovation and market evolution. SPA investigates.

While market projections differ – from Gartner’s much-cited 50 billion connected devices by 2020, to IHS Markit’s rather more conservative 30.73 estimate – there’s little doubt that the Internet of Things (IoT) is a massive and growing opportunity for payment services.

At the same time, the financial services sector has been slow to embrace IoT payments. To date, the sector has been more focused on mobile applications and wallets. This is slowly beginning to change. New use cases and commercial IoT applications capable of initiating remote payment are certainly emerging, including smart (voice-enabled) assistants and in-car dashboard systems. But the pace could be accelerated.

There are significant security risks that must be addressed if this is to happen. According to security firm Symantec, the number of malicious attacks on IoT-enabled devices grew some 600% between 2016 and 2017. IoT is certainly a large and growing target, and with personal data ‘gold’ on offer for successful hackers, there’s every reason to assume attacks will continue to grow in volume, ferocity and sophistication.

This shouldn’t come as a surprise. As IoT becomes a ubiquitous part of everyday life, we’re exposing ever greater amounts of sensitive, personal and financial data to a host of semi- (or completely) autonomous, connected devices. As consumers, it’s almost impossible to know whether our connected cars, smart homes and healthcare systems are adequately protected – particularly as a new crop of immature application developers and device manufacturers appears. Added to which, in many use cases, the payer is not physically present. The authority to initiate the payment is therefore delegated to the device – which poses its own set of issues.

However, while broadening the list of connected ‘things’ certainly broadens the risk, this is by no means a good reason to put the brakes on change. Indeed, where payment is concerned, the opportunities are many. SPA believes we should push ahead, but do so with caution and a better understanding of how to protect these internet-connected devices to minimize the risk of attack and fraud.